Subject: RE: [saml-dev] the value of AuthnInstant


As I said before, I think this is the correct reading of the current
core spec (as in other interpretations are wrong).  From the preamble 
in section 2.7.2:

	The <AuthnStatement> element describes a statement by the SAML authority
	asserting that the assertion subject was authenticated by a particular
	means at a particular time.

and the description of AuthnInstant (an attribute of the
<AuthnStatement>):

	Specifies the time at which the authentication took place....

I don't think this leaves much to deployment/implementation
interpretation.

Conor

> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Monday, February 11, 2008 4:57 PM
> To: Cahill, Conor P
> Cc: Scott Cantor; SAML Developers
> Subject: Re: [saml-dev] the value of AuthnInstant
> 
> That makes total sense, Conor.  Your words could be considered errata, I
> think.
> 
> Tom
> 
> On Feb 11, 2008 4:20 PM, Cahill, Conor P <conor.p.cahill@intel.com> wrote:
> > Yes, a cookie could be considered
> > some form of authentication.  However, if the IdP says in the AC that the
> > user presented username/password, then the AuthnInstant has to be when that
> > took place, not when some session cookie was presented to the IdP.
> >
> > So, yes, if I have an AuthnContext that says "Got a cookie", then the
> > AuthnInstant can match the IssueInstant.
> >
> > Conor
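
An added example, not part of the original thread or of any SAML implementation: a relying-party check that reads AuthnInstant as the time of the authentication named in the AuthnContext, as the message above argues, and enforces a maximum authentication age against it rather than against IssueInstant. The sample assertions are constructed, signature validation is assumed to have been done already, and mapping "Got a cookie" to the PreviousSession class is an assumption.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Assumption: "Got a cookie" is expressed with the PreviousSession class.
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"

# Constructed sample assertion (unsigned, trimmed to the fields under discussion).
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2008-02-11T21:20:00Z">
  <saml:AuthnStatement AuthnInstant="{authn}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC (e.g. 2008-02-11T21:20:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_authn(assertion_xml, now, max_age):
    """Judge freshness by AuthnInstant; IssueInstant is reported for comparison only."""
    root = ET.fromstring(assertion_xml)
    issued = parse_instant(root.attrib["IssueInstant"])
    stmt = root.find("saml:AuthnStatement", NS)
    authn = parse_instant(stmt.attrib["AuthnInstant"])
    ctx = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    findings = []
    if authn > issued:
        findings.append("AuthnInstant is later than IssueInstant")
    if now - authn > max_age:
        findings.append("authentication older than max_age")
    return {"context": ctx.strip(), "authn_age": now - authn,
            "issue_age": now - issued, "findings": findings}

NOW = datetime(2008, 2, 11, 21, 21, tzinfo=timezone.utc)
# Password login at 13:05, assertion issued at 21:20 from the IdP session.
password_sso = check_authn(TEMPLATE.format(authn="2008-02-11T13:05:00Z", ctx=PASSWORD),
                           NOW, timedelta(hours=1))
# Cookie-based context: AuthnInstant may equal IssueInstant.
cookie = check_authn(TEMPLATE.format(authn="2008-02-11T21:20:00Z", ctx=PREVIOUS_SESSION),
                     NOW, timedelta(hours=1))

if __name__ == "__main__":
    for result in (password_sso, cookie):
        print(result)
```

The first result is flagged even though the assertion was issued one minute earlier, because the password authentication it describes is more than eight hours old.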
